Field
Embodiments presented herein generally relate to techniques for computer security. More specifically, techniques are disclosed for increasing the performance of online certificate status protocol responses to relying parties using a content delivery network.
Description of the Related Art
Online certificate status protocol (OCSP) is a method of delivering a status of a digital certificate to a relying party. When an OCSP request for a certificate is received, a certificate authority sends a digitally signed OCSP response to the relying party. Such a response indicates whether the certificate is valid, invalid, revoked, etc. Once signed, an OCSP response is valid and correct for a specified period of time, e.g., seven days, or until the certificate is revoked.
A large commercial certificate authority may issue thousands, or even millions, of certificates. In such cases, it may be impractical for a certificate authority to send OCSP responses to relying parties directly. Instead, the certificate authority may rely on a content delivery network (CDN) as a front-end distributor of OCSP responses. As is known, web services use CDNs to distribute content to end-users with high availability and performance. CDNs may include computer servers deployed in multiple locations to reduce bandwidth costs, page load times, and increase the availability of content. Upon receiving content from an origin server for distribution to an end-user, a server caches the content before sending it to the end-user. Because the content provided by CDNs is typically static or otherwise slowly-changing, certificate authorities are able to adopt the CDN to distribute the OCSP responses to relying parties.
However, current approaches by certificate authorities using CDNs to distribute responses raise several concerns. For example, although OCSP responses may remain valid for a certain period of time, a certificate authority may revoke the underlying certificate before the certificate expires. Because CDNs cache OCSP responses ahead of time, the OCSP response on the CDN may still indicate that the certificate is valid despite the certificate authority indicating otherwise (i.e., the OCSP response on the CDN servers is incorrect). Another concern is that when a signed OCSP response expires, the CDN removes the response from the cache and a relying party must then retrieve an updated OCSP response from the origin server of the CDN, which can degrade response times.